Q&A: Elastica CTO Zulfikar Ramzan, on Heartbleed and online security

Zulfikar Ramzan, Chief Technology Officer of Elastica during an interview with this newspaper on April 29, 2014. (Dai Sugano/Bay Area News Group)
(
Dai Sugano
)

SAN JOSE -- Zulfikar "Zully" Ramzan had been alerted to concerns about an Internet security bug called Heartbleed before word spread around the world that everyday passwords and sensitive account information were at risk of being breached.

Ramzan, the chief technology officer at a San Jose-based, cloud-security company called Elastica, dug into the Heartbleed program and instantly saw the problem that put untold millions of accounts at risk.

"I could immediately tell it was a very simple flaw that would have very profound ramifications," Ramzan said.

He then made an instructional video about Heartbleed and quickly became known for easily explaining the bug's flaws and alerting consumers to its dangers.

Ramzan talked with this newspaper from his Santana Row offices. The interview has been edited for length and clarity.

Q: How does Heartbleed put people at risk?

A: When you're accessing your password and user name to say, your bank, a bad guy can send a command over the open-source channel though a "heartbeat" protocol message. The bank's computer may send a simple message like "howdy,5." If a bad guy tells the bank's computer that "howdy,5" is actually 65,000 characters instead of five, it's going to copy the next 65,000 characters in your account and reply back with all that data like passwords, user names, credit card information, everything that you thought was secure. This is not complicated. But nobody had looked at this code very carefully.

Advertisement

Q: You have a Ph.D. from MIT and a double bachelor's from Cornell. Were you brought up in a family that valued computers and talked about issues like cryptography and cybersecurity?

A: My parents did not even graduate high school and emigrated from Tanzania in 1977 to Queens, New York, where my father first worked in a coffee shop before opening his own small coffee shop in the back of a warehouse. In school I got one of those Scholastic Book Clubs books that had simple cypher codes and I was fascinated by the challenge.

When I was 7, my parents paid $100 for a Commodore VIC-20 for me. The VIC-20 didn't even have floppies or a tape drive. So when I started writing basic programs, like printing my name or simple puzzle games or math games or simple graphics like going through a maze, I had no way to store them. When I would turn the computer off, that was the end. It was like a Zen gardening experience.

Q: With your math, computer and language background, you sound like a prime candidate for a CIA recruiter.

A: Right after the movie "Good Will Hunting" came out (including a scene of math whiz Matt Damon talking to a NSA recruiter), I met with the main recruiter for the NSA at MIT. He talked about how his role as an NSA recruiter was portrayed in the film. I was interested in the math the NSA had that no one knew anything about. But you were not allowed to talk about what you did. The NSA did send me the background check package, but I never filled it out.

Q: As a cybersecurity expert, have you ever been victimized? And how do you protect yourself?

A: I did have my credit card hacked, and someone was making purchases in France. I'm very private about my family and never post Facebook photos of my kids. Some of my friends don't even know that I have kids.

Q: Why do Elastica's clients come to you?

A: Companies have employees who share files through their corporate laptops through Box, Google Drive, Dropbox or Salesforce that's sensitive, intellectual property. Using computer algorithms, we build a profile of every single user and monitor what's going on and give the company everyone's activity in real time. Anomalies can be detected within minutes, for instance if someone is downloading a lot of data. Our customers are pretty surprised when they actually see the hard numbers because they tend to be completely in the dark.

Q: After you've audited a company's activities, how often do they slip back into sloppy behavior?

A: All the time. But we can enforce their policies automatically and block someone from sharing files outside of the company. If you have automation built in, it's very easy to comply.

Age: 38Current job: Chief technology officer for Elastica, based in San Jose's Santana RowPrevious jobs: Adviser to Elastica; chief scientist for Sourcefire, a network security company, and Immunet, a company focused on malware defenseEducation: Ph.D. in electrical engineering and computer science from the Massachusetts Institute of Technology; double bachelor of arts from Cornell University in computer science and math, with a minor in RussianFamily: Wife, two childrenResidence: Cupertino

FIVE THINGS TO KNOW ABOUT ZULFIKAR RAMZAN

1. Born in Dar es Salaam, Tanzania. 2. Zulfikar roughly translates to "Excalibur" in Persian. 3. Stopped taking math courses as a senior at the elite Bronx High School of Science, but taught himself pre-calculus and calculus through library books because he wanted to understand the deeper meaning behind mathematic formulas. In one night, he taught himself the first three months of calculus instruction.4. Childhood dream was to play second base for the New York Mets.5. Earned his first of more than 40 patents as a student intern at Bell Labs, for writing encryption algorithms that ended up in routers.